5.3

CVE-2025-58189

ALPN negotiation error contains attacker controlled information in crypto/tls

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version < 1.24.8
GolangGo Version >= 1.25.0 < 1.25.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.44% 0.354
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
Mailing List
Release Notes
https://go.dev/cl/707776
Patch
https://go.dev/issue/75652
Issue Tracking
https://pkg.go.dev/vuln/GO-2025-4008
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/10/08/1
Third Party Advisory
Mailing List
Release Notes